JWT_SECRET_KEY fix 3: key length

Max Azatian · Max Azatian · commit 75513131223f · 2025-07-28T12:25:01.000+02:00
diff --git a/backend/.env b/backend/.env
@@ -1,5 +1,5 @@
 PROJECT_NAME=integr8scode
-SECRET_KEY=your_secret_key_here
+SECRET_KEY=CHANGE_ME_this_is_a_dev_key_min_32_chars_required
 ALGORITHM=HS256
 ACCESS_TOKEN_EXPIRE_MINUTES=30
 MONGODB_URL=mongodb://mongo:27017/integr8scode
diff --git a/backend/app/config.py b/backend/app/config.py
@@ -45,13 +45,21 @@ class Settings(BaseSettings):
 
     @field_validator("SECRET_KEY")
     @classmethod
-    def validate_secret_key(cls, v: Optional[str]) -> str:
+    def validate_secret_key(cls, v: Optional[str], info) -> str:
         if not v:
             raise ValueError("SECRET_KEY environment variable must be set")
         if len(v) < 32:
             raise ValueError("SECRET_KEY must be at least 32 characters long")
+        
+        # Check if we're in testing mode
+        testing = info.data.get('TESTING', False)
+        
+        # Allow CHANGE_ME prefix only in development/testing
         if v == "your_secret_key_here" or v == "default_secret_key":
             raise ValueError("SECRET_KEY must not use default placeholder values")
+        if v.startswith("CHANGE_ME") and not testing:
+            raise ValueError("SECRET_KEY must not use default placeholder values (CHANGE_ME detected)")
+        
         return v
 
     class Config:
diff --git a/backend/tests/.env.test b/backend/tests/.env.test
@@ -1,5 +1,5 @@
 PROJECT_NAME=integr8scode_test
-SECRET_KEY=your_test_secret_key_here
+SECRET_KEY=thisisatestsecrektkeythatshouldbe32characterslong
 MONGODB_URL=mongodb://localhost:27017
 KUBERNETES_CONFIG_PATH=/../kubeconfig.yaml
 TESTING=true
diff --git a/backend/tests/unit/test_config.py b/backend/tests/unit/test_config.py
@@ -29,6 +29,7 @@ def test_secret_key_too_short(self) -> None:
             assert "SECRET_KEY must be at least 32 characters long" in errors[0]["msg"]
 
     def test_secret_key_default_placeholder(self) -> None:
+        # These should always fail
         test_cases = ["your_secret_key_here", "default_secret_key"]
         
         for placeholder in test_cases:
@@ -40,6 +41,24 @@ def test_secret_key_default_placeholder(self) -> None:
                 assert len(errors) == 1
                 assert errors[0]["loc"] == ("SECRET_KEY",)
                 assert "SECRET_KEY must not use default placeholder values" in errors[0]["msg"]
+    
+    def test_secret_key_change_me_without_testing(self) -> None:
+        # CHANGE_ME should fail when not in testing mode
+        with mock.patch.dict(os.environ, {"SECRET_KEY": "CHANGE_ME_this_is_a_dev_key_min_32_chars_required", "TESTING": "false"}, clear=True):
+            with pytest.raises(ValidationError) as exc_info:
+                Settings()
+            
+            errors = exc_info.value.errors()
+            assert len(errors) == 1
+            assert errors[0]["loc"] == ("SECRET_KEY",)
+            assert "CHANGE_ME detected" in errors[0]["msg"]
+    
+    def test_secret_key_change_me_with_testing(self) -> None:
+        # CHANGE_ME should be allowed in testing mode
+        with mock.patch.dict(os.environ, {"SECRET_KEY": "CHANGE_ME_this_is_a_dev_key_min_32_chars_required", "TESTING": "true"}, clear=True):
+            settings = Settings()
+            assert settings.SECRET_KEY == "CHANGE_ME_this_is_a_dev_key_min_32_chars_required"
+            assert settings.TESTING is True
 
     def test_secret_key_valid(self) -> None:
         valid_key = "a" * 32  # 32 character key
